
tracesplit

salcock edited this page Dec 19, 2014 · 1 revision

tracesplit will split a trace into a number of smaller tracefiles.

Usage

    tracesplit
            [ -f exp | --filter=exp ]
            [ -c num | --count=num ]
            [ -b num | --bytes=num ]
            [ -i secs | --interval=secs ]
            [ -s unixtime | --starttime=unixtime ]
            [ -e unixtime | --endtime=unixtime ]
            [ -m files | --maxfiles=files ]
            [ -S snaplen | --snaplen=snaplen ]
            [ -z level | --compress-level=level ]
            [ -Z method | --compress-type=method ]
            inputuri [inputuri ...] outputuri

Options

-f, --filter Only output packets that match the bpf filter expression. See tcpdump(1) for the syntax of the bpf filter expression.

-c, --count Output num packets per output file.

-b, --bytes Output num bytes per output file.

-i, --interval Start a new file after secs seconds of trace time.

-s, --starttime Do not output any packets with a timestamp earlier than unixtime.

-e, --endtime Do not output any packets with a timestamp later than unixtime.

-m, --maxfiles Do not create more than files trace files.

-S, --snaplen Truncate packets to snaplen bytes long. The default is to perform no truncation at all.

-z, --compress-level Compress the output trace using the specified compression level, ranging from 0 (no compression) to 9. Higher compression levels require more CPU to compress data. Defaults to no compression.

-Z, --compress-type Compress the output trace using the specified compression method. Possible methods are "gzip", "bzip2", "lzo", "xz" or "none". The default is "none".

Applications

Create a small 10 minute trace from a larger trace:

    tracesplit -i 600 -m 1 erf:longtrace.erf.gz erf:10min_trace.erf.gz

Capture a trace to disk with a one hour file rotation:

    tracesplit -i 3600 int:eth0 erf:trace.erf.gz
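The two invocations above are usually wrapped in a script so that the window, filter and rotation settings are checked before tracesplit starts reading a large trace. The following is an added example written for this page, not code from libtrace or this wiki: two POSIX sh helpers that assemble the command lines for carving a time window out of an archived trace and for capturing from an interface with rotation. The function names, the TRACESPLIT variable, the BPF expression, the snaplen and the timestamps (an arbitrary one-hour window on 2014-12-19 UTC) are this example's own assumptions; the options and compression methods are the ones listed under Options.

```shell
#!/bin/sh
# Added example for this page; not part of libtrace or the wiki.
# Two helpers that assemble tracesplit command lines for the jobs shown
# under "Applications": carving a time window out of an archived trace and
# capturing from an interface with file rotation. Every argument is checked
# before it reaches tracesplit. Function names, the TRACESPLIT variable and
# the sample URIs/timestamps are this example's own, not libtrace's.

TRACESPLIT=${TRACESPLIT:-tracesplit}   # override to point at a specific binary

# is_uint STR: succeed only if STR is a non-empty string of digits.
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# carve_cmd IN_URI OUT_URI START END [BPF]
# Prints: tracesplit -s START -e END -m 1 [-f 'BPF'] IN_URI OUT_URI
# START/END are unix seconds (as -s/-e expect) and START must precede END.
# BPF, if given, must not itself contain single quotes.
carve_cmd() {
    in_uri=$1 out_uri=$2 start=$3 end=$4 bpf=$5
    is_uint "$start" && is_uint "$end" ||
        { echo "carve_cmd: start and end must be unix timestamps" >&2; return 1; }
    [ "$start" -lt "$end" ] ||
        { echo "carve_cmd: start ($start) must precede end ($end)" >&2; return 1; }
    # -m 1: everything lands in a single file, so no split identifier is
    # appended to OUT_URI (see Notes).
    cmd="$TRACESPLIT -s $start -e $end -m 1"
    [ -z "$bpf" ] || cmd="$cmd -f '$bpf'"
    printf '%s\n' "$cmd $in_uri $out_uri"
}

# rotate_cmd IN_URI OUT_URI SECS [TYPE [LEVEL [SNAPLEN]]]
# Prints: tracesplit -i SECS [-S SNAPLEN] [-Z TYPE -z LEVEL] IN_URI OUT_URI
# TYPE is one of the methods -Z accepts; LEVEL is 0-9; SNAPLEN, if given,
# truncates each packet (useful to drop payload when only headers are needed).
rotate_cmd() {
    in_uri=$1 out_uri=$2 secs=$3 ctype=${4:-none} level=${5:-0} snaplen=$6
    is_uint "$secs" && [ "$secs" -gt 0 ] ||
        { echo "rotate_cmd: interval must be a positive number of seconds" >&2; return 1; }
    case $ctype in
        gzip|bzip2|lzo|xz|none) ;;
        *) echo "rotate_cmd: unknown compression type '$ctype'" >&2; return 1 ;;
    esac
    is_uint "$level" && [ "$level" -le 9 ] ||
        { echo "rotate_cmd: compression level must be 0-9" >&2; return 1; }
    [ -z "$snaplen" ] || is_uint "$snaplen" ||
        { echo "rotate_cmd: snaplen must be a byte count" >&2; return 1; }
    cmd="$TRACESPLIT -i $secs"
    [ -z "$snaplen" ] || cmd="$cmd -S $snaplen"
    [ "$ctype" = none ] || cmd="$cmd -Z $ctype -z $level"
    printf '%s\n' "$cmd $in_uri $out_uri"
}

# Typical use (the timestamps are an arbitrary one-hour window on 2014-12-19 UTC):
#   eval "$(carve_cmd erf:longtrace.erf.gz erf:incident.erf.gz 1418947200 1418950800 'host 10.0.0.5')"
#   eval "$(rotate_cmd int:eth0 erf:trace.erf.gz 3600 gzip 6 96)"
```

The helpers only print the command line; running it through `eval` (or pasting it) is left to the caller, so a mistyped window or compression method is caught before tracesplit opens the input trace. The snaplen argument to rotate_cmd is worth remembering on a capture box: -S keeps only the first N bytes of each packet, which both bounds disk usage and limits how much payload ends up on disk.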

Notes

  • If tracesplit produces multiple output files, the output URI is used as the base of the output filename. An identifier is appended to the filename based on the method used to split the trace. For example, if splitting by packet count, this will be a packet counter. If splitting using an interval, this will be the number of seconds since the start of the trace, etc.
  • In libtrace 3.0.9 or later, multiple input traces may be specified on the command line; each is read in turn and split accordingly. This is helpful for applying a filter to an entire trace set, for example.